We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Data Breach Triggers Concerns About IoT Technology and COPPA

Generating concerns about the Internet of Things technology—particularly in the context of children—VTech suffered a data breach that exposed the personal data of almost 5 million adults and more than 6 million kids.

The Hong Kong-based toy company offers a "Kid Connect" service that allows parents to use smartphones to talk to kids who use toy tablets and other devices. But the company admitted in late November that a hacker gained access to the company's servers and made off with the names, e-mail addresses, home addresses, and passwords of more than 4.8 million parents, and the names, genders, and birthdays of approximately 6.4 million children. The hacker also gained access to chat logs between kids and their parents, kid selfies, and voice recordings.

The company accepted responsibility for the breach (stating that "our database was not as secure as it should have been") and acknowledged that the majority of the children and adults implicated in the hack were in the United States.

Lawmakers and regulators were quick to act. The Attorneys General of both Connecticut and Illinois announced plans to investigate the breach, while Sen. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas) sent a letter to the company requesting information on its data security and use practices.

"This breach raises several questions about what information VTech collects on children, how that data is protected, and how VTech complies with [COPPA]," the legislators wrote. They asked for information the company collected from children 12 years old or younger for each product and other sources, such as social media.

In addition, the co-founders of the Congressional Privacy Caucus asked how VTech uses the data collected about children. Will it make the toy or product properly function and if not, then why is it collected, they wondered. The letter also asked what methods VTech uses to protects its customers' data (such as encryption), whether the company shares or sells information to third parties or data brokers, and what steps are being taken to prevent future breaches.

The lawmakers gave the company until January 8, 2016 to respond to the inquiry.

Why it matters: As the Internet of Things continues to grow, the industry faces challenges in addressing regulatory and consumer concerns with regard to data security and privacy. The VTech hacking incident only fuels those worries, particularly since the theft of children's information implicated COPPA.

Related topic hubs

Compare jurisdictions: Data Security & Cybercrime

"This is a very good resource and I appreciate receiving it everyday. Each newsletter has a great deal of content and the daily feed allows you to 'pace' yourself. The content is relevant to the areas that I address and the articles are written by counsel who are very experienced in these areas and can communicate in a meaningful and effective way."